This is an entirely new category and it has become one of the most important areas of next-generation network and data protection. Over the course of the past year or so we have been watching this category. When a new approach to security appears on the horizon we always are interested, if a bit skeptical. Over the years there have been a lot of "promising" approaches to security that claim to be game changers. So it should come as no surprise that those of us in this business might become a bit jaded by the hype that tends to surround these pronouncements. Having said that, it certainly appears to us that this emerging category is the real deal.
Most consumers and potential consumers really don't understand exactly what this category really means.
One of the big problems we face in securing our systems – more than ever over the past couple of years – is understanding against what we are protecting them. Cyberthreat analysis and intelligence helps answer that question. Note that we say “helps." There is no silver bullet and this, at present anyway, is not one. But it does have promise. The real problem at the moment is that most consumers and potential consumers really don't understand exactly what this category really means. They see it in the framework of vendor hype and their expectations are very badly set. The vendors that we have selected this year don't subscribe to the over-blown expectations for cyberthreat intelligence.
Another important issue is that these vendors readily accept that there is no single size that fits all. True cyberthreat intelligence as we see it today is a fragmented field and to take full advantage of it we need to deploy multiple applications. This may not be the case going forward and we believe that it is likely that one or more of this year's Innovators in this new category will be a game-changer. Or, perhaps, it might be an Innovator that we have yet to see.
So with that in mind let's take a look at one of the most interesting categories that we are examining this year.
Flagship product Silobreaker Cyber Security & Risk Intelligence
Cost From $30,000 per annum.
Innovation Bringing comprehensive open source intelligence to the cyber community.
Greatest strength Providing important context to cyber intelligence.
Silobreaker fits in the subcategory of open source intelligence. In the world of intelligence we have closed source (intelligence that is collected by agents in the field and not made generally available) and open source (intelligence that is available to the general public from sources such as the internet or news releases). Silobreaker is the best open source tool we ever have seen.
Silobreaker collects data from thousands of sources on the internet, collates it into coherent reports and presents it in a variety of ways to suit users.
This company didn't come from the cyberworld. It came from data analytics, general open source intelligence and financial analysis in open source data. The founders discerned that existing systems were poor in analytics so they teamed with specialists from the data side – one who was adept at dealing with structured and one who worked with unstructured data. The problem of structured and unstructured data is still present because there is too much data for most organizations to analyze. Today's data consists of internal and external data and structured versus unstructured data. Add in the Big Data model – high velocity, volume, variability and veracity – and you have a very difficult cocktail to consume.
Silobreaker's goal is to make data easily customizable, removing the disconnect between access to data (too much data) and being “in the know." We believe they have met that challenge nicely.
While other companies tend to focus on technical data and tactical response, they do not have the ability to see the bigger picture and understand the “why,” which comes from global context. Silobreaker takes a different approach that seems to be very successful for them. They believe that cybersecurity is not just an IT problem. It's much bigger than just telling the CISO “deal with it." That, we believe, is the major differentiator that this Innovator brings to our field. And that's why we have added them to our Innovators section for 2015.
Vendor Intel 471
Flagship product Threat actor intelligence collection.
Cost Under NDA and depends on use.
Innovation Bringing threat actor intelligence to the information security community.
Greatest strength Extremely strong grounding in the global intelligence community and the ability to translate that experience into useful/actionable cyberthreat actor intelligence.
This is a most unusual, and welcome, addition to the intelligence resources available to the information security community. The differentiator – and the reason Intel 471 has ended up in our Innovator issue this year – is that this Innovator focuses – successfully – strictly on threat actors. This is not open source intelligence in the traditional sense of the term. Rather, it is more closed source in that the intelligence gathered is based on first-hand knowledge in the countries of the malefactors participating in the forums. To say more would be to “burn” the company's operatives. Suffice it to say that we have been depending on this source in our research since before the company introduced in June of this year.
This organization follows a database of 10 million threat actors with a regular view of over nine million. This is a company that never stops innovating. On the drawing board is a smaller, more compact, version for organizations that are not quite as sophisticated as the company's regular target audience. Additionally, one innovation – and one we really like – is connecting with Maltego, a tool that might best be described as an internet link analyzer on steroids. All one needs to do is to select a threat actor from within Intel 471 and insert that actor into Maltego.
Overall, Intel 471 brings an entirely new dimension to cyberthreat intelligence gathering. While it is a pretty solid tool in its own right, when used with other intelligence tools, such as Silobreaker and Norse, it adds a powerful dimension to understanding the threats against your enterprise. This is not a tool for organizations with under-developed intelligence operations. It is without doubt a sophisticated intelligence gathering tool. The new “lite” version, when it is available, will solve that issue and make intelligence at the threat actor level consumable by most organizations.
We really like this tool. It has done a great job for us and we believe that, as an Innovator, Intel 471 brings a view of the threatscape to analysts that is at the top of the intelligence community. When mixed with other intelligence tools, you have an unparalleled resource of understanding threats against your enterprise.
Flagship product Norse Appliance and Norse Intelligence Service
Cost Highly customizable – depends on products, services and size of the customer.
Innovation Leading the charge in moving from threat intelligence to cyberintelligence
Greatest strength Diversity within the cyberthreat continuum.
Norse is the big noise in cyberintelligence and with good reason. They are a nearly perfect mix of cyberintelligence in general and what we refer to as “bits and bytes” intelligence. There are important players in the open source and threat actor intelligence niches and there are solid players in the pure bits and bytes offerings, but there are none as comprehensive as Norse that straddle both communities. Norse is an excellent mix of knowing what is happening on the internet and knowing, as well, what that knowledge means in the overall threat intelligence community.
Probably Norse's biggest innovation, from the perspective of the information security industry in general, is the launch of its client and threat intelligence service. When discussing cyberthreat intelligence most people think of it as lists of IPs, malware and attacks. However, there is much more to cyberthreat management than that. Norse provides its services through an appliance and through its Intelligence Service. Because the appliance is constantly updating through the Norse cloud, it is far more efficient. Of course, the intelligence service is an excellent way for analysts to stay current with the cyberthreatscape, but for integration with other security tools you need the appliance. The appliance operationalizes that.
To complement the appliance there is the Norse Intelligence Service. Norse uses an intelligence SOC model. The appliance compares with Norse's datastore. While the service and the appliance can be individually bought, they also can be bought together and usually are. For Norse, it's all about context. For a long time, organizations have been myopically focused on their own networks. However, we need to see “over the hill." The proactive view has been the missing piece. Norse claims that it is striving to blaze a new trail, not to build a new firewall, DLP or SIEM – products that have become commoditized. In today's cyberenvironment, prevent, detect and respond is not good enough. For that reason Norse goes beyond the simple concept of threat intelligence to cyberintelligence.
Norse is able to apply tens of millions of rules to extremely high packet rates. In addition to their appliance and Intelligence Server, the company does incident response support. It teams with other vendors and provides forensic services. Norse also has a counter-intelligence team. The name of the game for this Innovator is adding more useful and important features, and being more and more proactive.
Flagship product Securonix Security Analytics Platform
Cost $100K and up.
Innovation Application of security analytics to the problem of behavior analysis.
Greatest strength Deep experience in analysis algorithms and machine learning.
Securonix is heavy on the threat analysis piece. And not just a particular threat. This is a product that really enjoys drinking from the Big Data fire hose. Lest you think that we have succumbed to marketing hype and are tossing around buzz phrases, such as “Big Data," let us assure you that we mean it in the strictest sense. Big Data usually is defined by the four Vs: high velocity, variability, volume and veracity. That means that this Innovator can ingest lots of data that is rapidly changing and is being delivered and ingested at wire speeds all while losing none of its integrity. So, the next question is what can the tool do with this data? The answer is just about anything you want.
The reason for this very directed approach is that Securonix started out as analytics specialists and built from that basis of expertise. They believed that there was a big hole in most security programs. These programs start by looking at everything on the enterprise in terms of identity. They realized that since they were attaching the right ID to everything on the enterprise, there might be a lot more that could be done to protect the network. So they added behavioral analytics, making them the only pure-play security analytics provider.
The system creates baselines, understands what "normal" is, and picks out anomalies. It does not rely on signatures or policy-based analysis because those things, by themselves, don't work. The Securonix platform is very heavy on anomaly detection and assessing outlier behavior. Then it correlates discovered behavior with many threat intelligence feeds and brings in contextually rich information.
One neat example is that they can connect directly with an HR system to identify high risk employees based on their behavior. As far as we know, they are the only folks that do this. They also are able to catch significant breaches very early in the game, preventing damage to data or the system. Sophisticated algorithms and machine learning are the heart of their systems. Unauthorized access is the cornerstone, and their algorithms pinpoint that based on behavior. The tool is centrally deployed and uses no agents. They leverage all existing security apps and watch logs in real time.